AWS ABCs – Logging Into a New EC2 Instance

Ok, you’ve just launched an Amazon EC2 instance (i.e., a virtual machine) and you’re ready to log in and get to work. Just one teeeensy problem though… you have no idea how to actually connect to the instance!

This post will walk through how to log into brand new Linux/BSD and Windows instances (the steps are slightly different for different OS families).

Regardless of the operating system, one requirement must be met: you must have connectivity into the Virtual Private Cloud (VPC) where you’ve launched the instance. This could be by giving the instance a public IP address so it’s reachable via the Internet or it could be via a VPN or other private connectivity into the VPC. The rest of the article assumes that this basic network connectivity is in place.

Linux/BSD Instances

Linux/BSD instances are accessible via SSH. When the instance is launched, the Amazon Machine Image (AMI), which acts like the template from which your instance is cloned, is set up to generate the necessary SSH host keys on first boot. You will have to provide the user key.

The Linux/FreeBSD AMIs used to launch the instance must support the generation of SSH host keys on first boot. The AMIs from the AWS Marketplace do support this. AMIs from third parties may not.

When you launched your instance via the AWS Console, the very last step would’ve been to choose whether you want to generate a new key pair or use an existing one. Based on your response, EC2 will place the appropriate public key inside the instance.

If you’re not a regular SSH user and you don’t have your own key pair yet, go ahead and let EC2 generate a key pair for you. You will be prompted to download the private part of the pair which you must keep secure and protected. You will not be able to download the private key after being initially prompted to do so, so go ahead and download it and don’t misplace it!

[Image: AWS EC2 generate a new SSH key pair]

If you have your own key pair that you want EC2 to use, navigate to EC2 in the AWS Console, then under the Network & Security heading, open Key Pairs. This page will allow you to upload your own public key which you can then instruct EC2 to use when it launches a Linux/BSD instance.

If you’re using the OpenSSH client on the CLI, you can pass in the location of the private key with the -i option:

ssh -i /location/to/myprivkey.pem ...

If you’re on a Windows workstation and using PuTTY, you will have to do a one-time conversion of the private key that you downloaded from EC2 by following these instructions.

Lastly, you need to know which user account to log in as. In most cases, the non-root user account is ec2-user. This is true for most of the Linux AMIs in the AWS Marketplace and for the FreeBSD AMI. Debian’s user is admin, CentOS’ user is centos, and Ubuntu’s user is ubuntu. Go figure. Check with the provider of the AMI if in doubt.

When you’ve settled on which username to use, fetch the public IP address or public DNS hostname from the EC2 console and initiate an SSH session. You will find the IP/hostname information by clicking on the instance in the list of instances and then scrolling through the information about the instance at the bottom of the screen.

Windows Instances

First, the easy way: if you chose to join the Windows instance to a directory when you launched it, go ahead and log in with the appropriate domain credentials. You’re done!

Otherwise, just like for a Linux/BSD instance, you will notice that you were prompted for a key pair when launching the instance in the AWS Console, and just like the Linux/BSD instances, you can either have EC2 generate one for you or provide your own. Unlike the Linux/BSD instances, the password for the Administrator account is auto-generated by EC2 when the instance is launched, and the plaintext of the password is then encrypted using the public key of the specified key pair.

The Windows AMI used to launch the instance must support the auto-generation of the password. The Windows AMIs from the AWS Marketplace do support this. AMIs from third parties may not.

To retrieve the encrypted password, navigate to EC2 in the AWS Console, select the Windows instance that was just launched and click the Connect button. The popup will indicate the public DNS hostname of the instance, the configured admin username (which can vary by region and language) and will show a button for retrieving the password.

[Image: AWS EC2 retrieve Windows administrator password]

Click the Get Password button. You will be prompted to provide your private key before the password is revealed.

With this information in hand, fire up your Remote Desktop client and connect to the given hostname using the given username and password.
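
What the private key is doing in the Get Password step, as an added example that is not part of the original post: the password is encrypted to the key pair's public key, so only the holder of the private key can recover it. The script assumes RSA with PKCS#1 v1.5 padding, uses a throwaway key and a constructed password instead of calling AWS, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: local round trip of the Windows password protection scheme.
# Nothing here talks to AWS; the key pair and password are constructed.
set -eu

# Decrypt a base64 password blob with the key pair's PRIVATE key.
# Assumption: RSA with PKCS#1 v1.5 padding.
decrypt_ec2_password() (
  blob_b64="$1"; priv_key="$2"
  printf '%s' "$blob_b64" | openssl base64 -d -A |
    openssl pkeyutl -decrypt -inkey "$priv_key" -pkeyopt rsa_padding_mode:pkcs1
)

# Simulate the EC2 side: encrypt using only the PUBLIC key, emit base64.
encrypt_like_ec2() (
  password="$1"; pub_key="$2"
  printf '%s' "$password" |
    openssl pkeyutl -encrypt -pubin -inkey "$pub_key" -pkeyopt rsa_padding_mode:pkcs1 |
    openssl base64 -A
)

# Generate a throwaway key pair, encrypt a constructed password,
# then recover it with the private key and print it.
demo_roundtrip() (
  umask 077                                  # private key: owner-only
  dir="$(mktemp -d)"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/demo.pem" 2>/dev/null
  openssl pkey -in "$dir/demo.pem" -pubout -out "$dir/demo.pub"
  blob="$(encrypt_like_ec2 'Constructed-Passw0rd!' "$dir/demo.pub")"
  result="$(decrypt_ec2_password "$blob" "$dir/demo.pem")"
  rm -rf "$dir"                              # remove the throwaway key
  printf '%s\n' "$result"
)

demo_roundtrip
```

The AWS CLI performs the same decryption when `aws ec2 get-password-data` is given `--priv-launch-key` with the path to the private key file.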